We have a Windows 2008 R2 server box, which connects to a Customer VPN.

Customer VPN:
- Assigns a 10.10.10.x IP when connected
- Owns a resource in their 172.x.x.x subnet that I need to access

On the server:
- I've set a route for 172.x.x.x to be directed to the Customer VPN server so that I can access the resource
- I've set up my own VPN so I can connect remotely on 192.168.168.x

How can I access the 172.x.x.x network from my home PC when connected to my server's VPN?

I tried setting up a 172.x.x.x route to my Server VPN IP but that didn't work, presumably because the Customer VPN doesn't know about my own subnet.

Edit: There are two reasons that I want to access the Customer VPN through my Server's VPN: a) it contains a DB that I want to develop against from my home/dev PC and b) my home router doesn't support VPN pass-through so I cannot connect directly.

2 Answers

Does the VPN software you are using to open the connection permit routing?

Do you have routing installed on your windows server and are you using an MS vpn tunnel between two servers? From what you've said it sounds like a vpn client and not this.

If the server is being assigned a single IP then it appears on the client's network as that IP and not with your internal IP. If you want to connect from another PC then your server is going to have to not only route connections from your PC to their server but it's also going to have to NAT the traffic to that assigned IP. Does what you are using support that?

When your home PC connects, there are more complications. Your home PC receives an IP in your subnet... but normally will only route traffic for that subnet to your office. You need to 'push' out the route for 172.x.x.x to your PC. It depends on the software you are using as to how you do this.

The ideal is to open a point-to-point link and to route between the two networks. For this to work you will need their cooperation and a router/fw to open an ipsec tunnel between the two. This way they will send all traffic for your subnet to your router and your router will send all traffic destined for 172.x.x.x to their router.

Interconnecting networks is not rocket science - it's a bit more like watchmaking. Thousands of little tiny details. If one bit is out of place it doesn't work.

Simplest solution: buy a new router for home for $50 and save yourself a lot of trouble.

UPDATE: if you are going to be changing things and you don't have a big setup then I'd recommend just buying a little SonicWall firewall and letting that handle the IPsec tunnel and remote access. It removes much of the headache and they cost next to nothing. Running RAS on a Windows server introduces all sorts of fun problems with blocked ports and routing... that's why everyone usually dedicates a server to RAS and nothing else.

I don't know how you are planning to open this site-to-site tunnel. Are you planning to use IPsec, OpenVPN or PPTP or something else?

A site to site connection means that the whole 172.x.x.x subnet should be able to reach your whole 192.168 (or whatever you use) subnet... Unless a rule filters the traffic somewhere.

When you connect to your office you are assigned an IP in 192.168.x.x so you should be able to reach the remote subnet from home.

Complications:
- The relaying of packets from a dial-in client to a remote subnet may be restricted by the server by default - depending on what software you use.
- You will need to 'push' out a route to 172.x.x.x to your dial-in client so it knows to send that traffic to your office.
- If you are on your own, setting this up and debugging it while connected from home is even more fun and games.

Thanks for the elaborate response. We'll be moving to a new server setup soon which will allow us to do site-to-site VPNs so I guess I'll wait for that. Let me ask you - when this happens, and our servers (we'll have two) will be on a site-to-site VPN with the customer site(s) - how will I be able to be part of that from home? Do I just need to dial up into our side of the VPN and get an IP within it? Please edit your answer with this additional info so I can select it as the right answer. Thank you!
– georgiosd Nov 10 '11 at 11:13

Thanks for the update. The data center will be figuring out the site-to-site VPN. I guess it'll be IPsec. I'll comment back when this is up - it's taking some time...
– georgiosd Nov 10 '11 at 22:53

If it's IPsec just buy yourself a firewall and do it with that. You'll just waste too much time and cause yourself too much grief if you do this on your server. Firewalls are cheap and do their job very well. If something goes wrong while you are configuring them you only mess up the FW. Do the same on your server and you can lock out your users.
– Ian Murphy Nov 14 '11 at 11:13
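The three things the answer above says are needed (a route for 172.x.x.x pushed to the home PC, IP forwarding enabled on the server, and NAT of forwarded traffic to the customer-assigned 10.10.10.x address) can be checked with a small forwarding model. This is an added example, not code from the thread or from any VPN product. The concrete addresses are assumptions standing in for the x's in the question (home PC 192.168.168.10, server 192.168.168.1 and 10.10.10.5, customer gateway 10.10.10.1, resource 172.16.0.20 in 172.16.0.0/16), and the "home_router" host with no routes stands in for the fact that a private 172.x destination has no path on the Internet. On Windows the forwarding flag is the IPEnableRouter registry value and the server-side route is the `route add ... -p` the poster already set; the model only shows why each piece matters.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed concrete addresses (the post only gives 10.10.10.x / 172.x.x.x / 192.168.168.x).
HOME_PC, SERVER_VPN_IP = "192.168.168.10", "192.168.168.1"   # server's own dial-in VPN
SERVER_CUST_IP, CUST_GW = "10.10.10.5", "10.10.10.1"          # customer-assigned address / customer VPN gateway
RESOURCE, CUST_NET = "172.16.0.20", "172.16.0.0/16"           # the customer's DB and its subnet


@dataclass
class Host:
    name: str
    addrs: set                                     # interface addresses owned by this host
    routes: list = field(default_factory=list)     # (IPv4Network, next-hop host name)
    forwarding: bool = False                       # Windows: IPEnableRouter=1
    nat_addr: str = ""                             # masquerade forwarded traffic as this address
    nat_net: object = None                         # ...when it is headed into this network
    nat_table: dict = field(default_factory=dict)  # (remote, translated src) -> original src

    def next_hop(self, dst):
        """Longest-prefix match over the host's routing table; None if no route."""
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def send(hosts, origin, src, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (host it was delivered to or None,
    source address as last seen, trace of forwarding decisions)."""
    src, dst = ip_address(src), ip_address(dst)
    here, trace = hosts[origin], []
    for _ in range(max_hops):
        if str(dst) in here.addrs:
            original = here.nat_table.get((str(src), str(dst)))
            if original is None:
                trace.append(f"{here.name}: delivered")
                return here.name, src, trace
            dst = ip_address(original)                 # returning reply: undo the NAT
            trace.append(f"{here.name}: un-NAT dst -> {dst}")
        if here.name != origin and not here.forwarding:  # transit packet on a non-router
            trace.append(f"{here.name}: dropped, IP forwarding disabled")
            return None, src, trace
        hop = here.next_hop(dst)
        if hop is None:
            trace.append(f"{here.name}: dropped, no route to {dst}")
            return None, src, trace
        if here.nat_addr and here.name != origin and dst in here.nat_net and str(src) != here.nat_addr:
            here.nat_table[(str(dst), here.nat_addr)] = str(src)
            trace.append(f"{here.name}: NAT src {src} -> {here.nat_addr}")
            src = ip_address(here.nat_addr)
        trace.append(f"{here.name}: {src} -> {dst} via {hop}")
        here = hosts[hop]
    trace.append("dropped, hop limit exceeded")
    return None, src, trace


def build(push_route=False, forwarding=False, nat=False):
    """Topology from the question; the three flags are the three things the answer calls for."""
    cust, vpn_net, cust_vpn = ip_network(CUST_NET), ip_network("192.168.168.0/24"), ip_network("10.10.10.0/24")
    home_pc = Host("home_pc", {HOME_PC}, routes=[(vpn_net, "server"), (ip_network("0.0.0.0/0"), "home_router")])
    if push_route:
        home_pc.routes.append((cust, "server"))        # the route the server's VPN must push to the client
    server = Host("server", {SERVER_VPN_IP, SERVER_CUST_IP}, forwarding=forwarding,
                  routes=[(vpn_net, "home_pc"), (cust_vpn, "cust_gw"), (cust, "cust_gw")],  # poster's route
                  nat_addr=SERVER_CUST_IP if nat else "", nat_net=cust)
    cust_gw = Host("cust_gw", {CUST_GW}, forwarding=True,
                   routes=[(cust, "resource"), (cust_vpn, "server")])  # knows 10.10.10.x, not 192.168.168.x
    resource = Host("resource", {RESOURCE}, routes=[(ip_network("0.0.0.0/0"), "cust_gw")])
    home_router = Host("home_router", {"192.168.1.1"}, forwarding=True)  # no path to private 172.x upstream
    return {h.name: h for h in (home_pc, server, cust_gw, resource, home_router)}


def round_trip(hosts):
    """Request from the home PC to the resource, then the resource's reply. (success, trace)."""
    where, seen_src, trace = send(hosts, "home_pc", HOME_PC, RESOURCE)
    if where != "resource":
        return False, trace
    where, _, back = send(hosts, "resource", RESOURCE, str(seen_src))  # reply goes to the source it saw
    return where == "home_pc", trace + back


SCENARIOS = {
    "no route on home PC": dict(),
    "route pushed, server not forwarding": dict(push_route=True),
    "forwarding, no NAT": dict(push_route=True, forwarding=True),
    "forwarding + NAT": dict(push_route=True, forwarding=True, nat=True),
}


def run_all():
    return {name: round_trip(build(**flags))[0] for name, flags in SCENARIOS.items()}


if __name__ == "__main__":
    for name, flags in SCENARIOS.items():
        ok, trace = round_trip(build(**flags))
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for line in trace:
            print("   ", line)
```

The "forwarding, no NAT" run is the poster's observation exactly: the request reaches the DB, but the reply is addressed to 192.168.168.10 and the customer gateway has no route for that subnet, so it is dropped there. Only the last scenario, where the server rewrites the source to its customer-assigned 10.10.10.5 and maps the reply back, completes the round trip without the customer adding a route.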

Can you not RDP into the Windows 2008R2 server from your home machine, and then connect to the client site via VPN that way? And are you referring to a site-to-site VPN tunnel that's always up, or a client VPN connection instantiated on demand, a la the Cisco IPSec client?

RDPing defeats the point really - I'd have to install all my developer tools on the server, which doesn't make sense. It's a normal Windows dial-up VPN.
– georgiosd Nov 9 '11 at 14:13

If it's dial-up VPN, you'll never get it to work. About the only thing that ever will work in that scenario is if it's a static point-to-point tunnel. Remember - bog-standard client VPN creates a virtual NIC, which then directs traffic from endpoint A (you) to endpoint B (server) on demand. There are no routing tables/rules that are visible outside that virtual NIC. So you will never be able to daisy-chain through it from any machine other than the server. Either you'll have to install the VPN client on your home machine, or use RDP to the server. It won't work any other way.
– Driftpeasant Nov 9 '11 at 18:03